Monday, January 12, 2009

ISO 27001 - The auditor’s perspective

Hello readers,

Wish you all a very happy and prosperous 2009.

During the 2nd last week of 2009, I had a meeting with a prospective client who was interested in implementing an ISO 27001 compliant ISMS and getting it certified. One question which they asked was, “Can I see an ISO 27001 system?”. When I requested them to be specific, they said “You know..all the documents, policies, guidelines etc.”. What I could infer from the discussion was that they clearly thought it was a system which was documented.

Tangibles and intangibles in an ISO 27001 ISMS

I spend some time to explain to them that the ISO 27001 system consisted of tangibles and intangibles. There are things that you can see, touch and feel, but there are a lot of components that you cannot see, touch or feel. This prompted me to go back to some of my earlier experiences with ISO 27001 customers. In most cases, during the initial discussions, most customers were asking the question, “Can I see the ISO 27001 policies that you have created?” During ISO 27001 training sessions, they would invariably ask the question, “Can you give us some sample policies and sample templates using which we can create the policies?” And, when asked, why they were always asking for the policies upfront, the answer invariably would be, “Well, that is what we need to pass the audits and get certified right?” This prompted me to think more about this from the customers’ perspective and ask the question, “Are ISO 27001 audits (especially from a certification process) being misinterpreted for their purpose?”

The smart ISO 27001 auditor looks for..

No doubt, documentation is a very important component from a certification process, but from my perspective, an ISO 27001 auditor, will look for two things,

1 - The existence of the ISMS2 - The functioning of the ISMS

Let us examine, “Point 1 - The existence of the ISMS”. This essentially means whether the P-D-C-A (Plan-Do-Check-Act) model is in place and all the required components of the P-D-C-A model exists. This would start from the Scope, the security forum, the asset classification list, risk analysis approach, the actual risk analysis reports, acceptance of risk, risk treatment and actual proof of risk treatment, audits, reviews etc. Some of these components are tangibles and some of them are intangibles. The smart auditor will spend his time first verifying this.

Let us examine, “Point 2 - The functioning of the ISMS”. The functioning of the ISMS is verified through the review and improvement processes, which comes in the CHECK and ACT phase. The smart auditor will check the internal audit reports, and often ask the question “Have you done a root cause analysis?” This is a very important question because the auditor is probing whether the organization has not just identified the problem, but has gone deep inside to check the root cause of the problem and then solve it. This proves that the ISMS is not just existing, but also functioning.

The broad picture or the Top-level view

So, anyone who is getting ready for an ISO 27001 Implementation and Certification process, please keep the broad picture in mind. This will help you not to get off-track and will help you when you are in a dilemma at certain junctions of the ISO 27001 implementation cycle.

You will have a great ISO 27001 implementation, maintenance and certification experience if you focus on proving two factors.

1) I have an ISMS in my organization2) My ISMS is functioning well

& if you care to come and check, I shall prove both the above points to you. With this attitude you have a winner ISMS in your hands.

ISO 17025 Document - ISO 9001 gives customers and suppliers a single set of guidelines that is accepted worldwide and that can be followed to achieve a definable level of quality. The third-party certification confirms that a company's systems for accepting orders, reviewing customers' specifications, manufacturing and testing products, and delivering those products to its customers are quality controlled and should produce consistent results.

Assessment for ISO Certification Halal Certification approach ensures our client's products are rigorously examined to ensure they meet globally recognised standards of Halal excellence. From ensuring all employees directly involved in the Halal process are Muslim and all ingredients are Halal certified to ensuring they meet the Malaysian Standard of Halal. ISO 9001 provides a framework and set of principles that ensure a common-sense approach to the management of your organization to consistently satisfy customers and other stakeholders. In simple terms, it provides the basis for effective processes and effective people to deliver an effective product or service time after time.